Google announced on Thursday that it is expanding its Android bug bounty program, and certain classes of vulnerabilities can now earn researchers up to $1.5 million. Google says it has paid out more than $4 million for over 1,800 vulnerability reports since the Android Security Rewards program launched in 2015. Over the past year alone, payouts totalled more than $1.5 million, and the largest single reward of that period was just over $161,000.
That top reward went to Guang Gong of the Chinese cybersecurity firm Qihoo 360. In total the researcher collected more than $200,000 for a single exploit chain: he showed how an attacker could remotely execute arbitrary code on a Pixel 3 by chaining Android and Chrome vulnerabilities, and the Chrome bugs in the chain earned him a further $40,000 from the Chrome rewards program. The exploit required only a single click from the victim.
Google has now announced significantly higher rewards under the Android Security Rewards program, including a $1 million top prize for an exploit of the Titan M chip in Pixel devices, with a 50 percent bonus if the exploit chain also works on specific Android developer preview versions. The top reward is reserved for a full exploit chain that achieves remote code execution, persists on the device, and compromises the Titan M security chip.
White hat hackers who demonstrate exfiltration of data protected by the Pixel's Titan M chip can now earn up to $500,000, and up to $250,000 for exfiltrating data from the Secure Element.
A new category added to the Android bug bounty program covers lockscreen bypasses. For these attacks, researchers can receive up to $100,000.
For comparison, Zerodium, the exploit acquisition company that says it sells primarily to government organizations, currently offers up to $2.5 million for a zero-click Android exploit chain with persistence on the targeted phone. A one-click iOS exploit chain with persistence is worth up to $2 million.